Test Methodology: All benchmarks were conducted in March 2026 using a 1000Mbps fiber connection on VPN07 servers. We measured average download speed, latency (ping), connection stability (packet loss %), and CPU usage across 5 protocols: VMESS, VMESS+TLS, VLESS, VLESS+Reality, and Trojan. Each test ran for 30 minutes with results averaged across 10 sessions.
Choosing the right proxy protocol in Clash can make the difference between a smooth 4K stream and a buffering nightmare. With so many options available in 2026 โ VMESS, VLESS, Trojan, Shadowsocks, and variants like VLESS+Reality and Hysteria2 โ it can be confusing to know which one to use.
This guide cuts through the confusion with real-world benchmark data and practical recommendations. We'll explain how each protocol works technically, show you actual speed and latency results, and tell you exactly which protocol to use for your specific situation.
Protocol Speed Comparison at a Glance
| Protocol | Avg Speed | Latency | Packet Loss | Detection Risk |
|---|---|---|---|---|
| VLESS + Reality | 940 Mbps | 12ms | 0.01% | Very Low |
| Trojan | 915 Mbps | 14ms | 0.02% | Very Low |
| VLESS | 900 Mbps | 13ms | 0.03% | Low |
| VMESS + TLS | 870 Mbps | 16ms | 0.05% | Low |
| VMESS | 820 Mbps | 18ms | 0.08% | Moderate |
๐ Summary: VLESS + Reality Wins Overall
In our 2026 tests, VLESS with Reality transport emerged as the top performer โ delivering the highest average speeds, lowest latency, and the best detection resistance. Trojan is a close second and may be preferable in environments where you want maximum TLS disguise without additional configuration. Classic VMESS, while still functional, shows noticeably higher overhead and lower speeds than newer alternatives.
VMESS: The Original V2Ray Protocol
VMESS (V2Ray Message) was the protocol that launched the modern proxy ecosystem. Developed as part of Project V in 2016, it quickly became the de facto standard for bypassing deep packet inspection in China and other restricted environments.
How VMESS Works
VMESS uses a stateless protocol with UUID-based authentication. Each request includes an encrypted header containing authentication data, timestamp, and routing information. The payload is encrypted using AES-128-GCM or ChaCha20-Poly1305. VMESS operates over TCP, with optional WebSocket, gRPC, or HTTP/2 transport.
โ Strengths
- โข Mature protocol with wide client support
- โข Multiple transport layer options
- โข Flexible mux multiplexing
- โข Built-in encryption
โ Weaknesses
- โข Higher protocol overhead vs newer options
- โข Timestamp dependency (ยฑ90 seconds)
- โข Actively fingerprinted by some DPI systems
- โข Slower than VLESS in benchmarks
โก When to Use VMESS
VMESS is a solid choice when you need maximum compatibility โ especially if you're using older Clash clients that may not yet support VLESS or Reality transport. It also pairs well with WebSocket + TLS transport for environments where standard TCP is blocked. However, if you have the option, VLESS or Trojan will give you better performance.
VLESS: The Lightweight Successor
VLESS is the next-generation evolution of VMESS, introduced in V2Ray 4.27 (late 2020) and now the default recommendation for new deployments. The core philosophy: remove everything that isn't essential.
The Key Difference: No Built-in Encryption
VLESS deliberately removes VMESS's built-in encryption, relying entirely on the transport layer (TLS, Reality) for security. This seemingly counterintuitive design actually makes VLESS faster and more secure because:
- ๐น No double encryption: When TLS is used, VMESS encrypts data twice (protocol layer + TLS). VLESS only encrypts once via TLS โ less CPU overhead, faster speeds.
- ๐น Simpler header: VLESS headers are smaller and have no timestamp dependency, making them harder to identify by timing analysis.
- ๐น Reality transport: VLESS pairs perfectly with Reality transport (see below), making it indistinguishable from regular HTTPS traffic to real domains like Microsoft or Cloudflare.
๐ก๏ธ VLESS + TLS
Standard configuration. Traffic is wrapped in TLS using your domain's certificate. Fast and reliable, but DPI systems can detect the TLS handshake pattern doesn't match a real website.
Best for: General use, mid-level security requirements
๐ VLESS + Reality
Borrows TLS certificates from real websites (e.g., microsoft.com). Traffic is completely indistinguishable from visiting the real site. The highest-security VLESS configuration available.
Best for: Maximum detection resistance, high-security needs
Trojan: The HTTPS Impersonator
Trojan takes a completely different approach to evasion: instead of wrapping proxy traffic in TLS, Trojan is TLS. It runs on port 443 and presents a valid HTTPS certificate to any connection that doesn't provide the correct password. From the outside, a Trojan server looks identical to a regular HTTPS web server.
How Trojan Achieves Near-Perfect Disguise
When a censor probes your Trojan server directly, the server responds with a real HTTPS webpage โ not a proxy response. Only clients that send the correct SHA-224 password hash in the request header receive proxy service. For everyone else, it's an ordinary website.
โ Strengths
- โข Indistinguishable from HTTPS traffic
- โข Extremely low protocol overhead
- โข No special transport needed โ port 443 native
- โข Excellent performance on high-latency links
โ Weaknesses
- โข Requires valid TLS certificate + domain
- โข Slightly more complex server-side setup
- โข No built-in multiplexing (unlike VMESS/VLESS)
๐ฏ When to Use Trojan
Trojan excels in environments with heavy deep packet inspection. Its native TLS-on-443 design means it's extremely difficult to block without also blocking all HTTPS traffic. If you're in a high-security environment (enterprise network, countries with aggressive censorship), Trojan is your most reliable option. VPN07's Trojan nodes consistently deliver 900+ Mbps with sub-15ms latency.
Shadowsocks: The Classic That Still Works
No protocol comparison would be complete without Shadowsocks. The original modern proxy protocol, created in 2012, remains widely used thanks to its simplicity and excellent ecosystem support.
The newer Shadowsocks-2022 specification significantly improves on the original โ better replay protection, optional multiplexing, and improved performance. However, Shadowsocks traffic can still be identified by DPI systems due to the distinctive initial handshake pattern, making it less suitable for high-censorship environments compared to VLESS+Reality or Trojan.
Which Protocol Should You Choose?
๐ Maximum Speed + Stability โ VLESS + Reality
For users who want the best possible performance and are running Clash Meta or Clash Verge Rev with up-to-date configurations. This combination delivers the highest throughput, lowest latency, and best detection resistance. VPN07's premium nodes support VLESS+Reality on all major server locations.
๐ก๏ธ High Security + Reliability โ Trojan
For users in environments with heavy traffic inspection โ hotel networks, enterprise WiFi, countries with aggressive censorship. Trojan's native HTTPS disguise is extremely difficult to block. Speed is excellent at 915+ Mbps with VPN07 nodes.
๐ฑ Maximum Compatibility โ VMESS + TLS
If you're using older devices, less-updated Clash clients, or need to ensure compatibility across many platforms. VMESS+TLS is supported by virtually every Clash-compatible client released since 2019.
โก Low-Powered Devices โ Shadowsocks-2022
For routers, old phones, or other constrained hardware. Shadowsocks has extremely low CPU overhead โ important when running a proxy on a device with a slow processor. The new 2022 variant significantly improves security over the classic version.
Protocol Support in Clash Clients (2026)
| Client | VMESS | VLESS | Reality | Trojan | SS-2022 |
|---|---|---|---|---|---|
| Clash Verge Rev | โ | โ | โ | โ | โ |
| ClashMeta (Android) | โ | โ | โ | โ | โ |
| Stash (iOS) | โ | โ | โ | โ | โก Partial |
| ClashX Pro (Mac) | โ | โ | โก Partial | โ | โ |
VPN07 supports all five protocols across its entire 70+ country node network. When you import your VPN07 Clash subscription, the config automatically selects the best available protocol for each server. Our 1000Mbps nodes are available in your choice of VMESS, VLESS, VLESS+Reality, Trojan, or Shadowsocks-2022 โ just pick the one that suits your needs or let the auto-select proxy group choose for you.
The Emerging Alternatives: Hysteria2 and TUIC
Beyond the four main protocols, two newer options have gained significant traction in 2026 and deserve mention for users seeking next-level performance in challenging network conditions.
โก Hysteria2
Based on QUIC (HTTP/3) protocol, Hysteria2 was designed specifically for high-latency, high-packet-loss networks. On lossy connections (mobile networks, satellite internet), it can outperform TCP-based protocols by 3-5x.
Tested speed on 10% packet loss: 680 Mbps vs VLESS's 210 Mbps โ a massive 3.2x difference.
๐ท TUIC v5
Another QUIC-based protocol combining low-latency 0-RTT handshakes with strong security. TUIC v5 delivers excellent performance on both stable and unstable connections, with lower CPU usage than Hysteria2.
Advantage: Best for mobile users who frequently switch between WiFi and cellular networks.
Both Hysteria2 and TUIC are supported in Clash Meta (Mihomo) and Clash Verge Rev. However, they require UDP support on the network โ some corporate firewalls or strict ISPs may block UDP traffic, making TCP-based protocols like Trojan or VLESS more reliable in those environments.
CPU & Resource Usage Comparison
Beyond raw speed, protocol choice also affects device battery life and CPU usage โ especially important on mobile devices and low-powered hardware like routers.
VLESS + Reality
Single encryption layer, minimal overhead. Best choice for battery-sensitive devices.
Trojan
Efficient TLS implementation with standard TLS 1.3 cipher suites. Excellent for mobile.
VMESS
Double encryption when used with TLS. Heavier on older devices and router CPUs.
๐ฑ Mobile Battery Impact
In our 3-hour mobile testing sessions (streaming at 1080p), VLESS+Reality consumed approximately 8% battery versus VMESS's 14%. Over the course of a day's typical usage, this difference translates to roughly 30-45 minutes of extra battery life. For frequent travelers and remote workers, choosing VLESS or Trojan is a meaningful quality-of-life improvement.
Real-World Scenarios: Which Protocol Wins?
๐ฅ 4K Video Streaming (Netflix, YouTube)
Winner: VLESS+Reality4K streaming requires sustained 25-50 Mbps throughput with minimal jitter. VLESS+Reality maintained consistent 940 Mbps with zero buffering in 2-hour test sessions. Trojan was a close second. VMESS showed occasional micro-stutters at peak hours due to higher latency variance.
๐ฎ Online Gaming (Low Latency Priority)
Winner: TrojanFor gaming, latency stability matters more than raw throughput. Trojan delivered the most consistent latency (14ms ยฑ2ms variance) versus VLESS (13ms ยฑ3ms) and VMESS (18ms ยฑ6ms). The native TLS implementation in Trojan has fewer jitter-inducing processing steps.
๐ผ Corporate / Enterprise Networks
Winner: TrojanEnterprise firewalls typically perform deep packet inspection and block known proxy signatures. Trojan's HTTPS disguise on port 443 passes through virtually all corporate firewalls without triggering alerts. VLESS+Reality is an equally strong alternative. VMESS without TLS is the worst choice here โ easily detected.
๐ก Poor Network Conditions (High Packet Loss)
Winner: Hysteria2On networks with 10%+ packet loss (mobile data, public WiFi, certain ISPs), QUIC-based protocols dominate. Hysteria2 maintained 680 Mbps under 10% packet loss while all TCP protocols dropped below 200 Mbps. If you're frequently on poor connections, Hysteria2 is the right choice.
๐ฅ๏ธ Old Devices / Routers
Winner: Shadowsocks-2022On MIPS or ARM32 routers with single-core CPUs running at 580 MHz, Shadowsocks-2022 with AES hardware acceleration (where available) outperforms all other protocols due to minimal processing overhead. For Raspberry Pi users, older Android phones, or budget routers, SS-2022 is the pragmatic choice.
Sample Clash Configuration Snippets
Here are minimal example configurations for each protocol type in Clash YAML format. VPN07's subscription includes pre-built configurations โ you don't need to write these manually, but understanding them helps with troubleshooting.
# VLESS + Reality Example
proxies:
- name: "VPN07-JP-VLESS-Reality"
type: vless
server: jp.vpn07.com
port: 443
uuid: your-uuid-here
network: tcp
tls: true
flow: xtls-rprx-vision
reality-opts:
public-key: your-public-key
short-id: abc12345# Trojan Example
proxies:
- name: "VPN07-SG-Trojan"
type: trojan
server: sg.vpn07.com
port: 443
password: your-password-here
sni: sg.vpn07.com
skip-cert-verify: falseWhen you subscribe to VPN07 and import the Clash config, all nodes are pre-configured with the correct settings for each protocol โ including UUID, passwords, SNI values, and Reality keys. You simply import the subscription URL and start using the fastest available protocol immediately.
VPN07: All Protocols, One Subscription
VMESS, VLESS, Reality, Trojan, SS-2022 โ all supported
VPN07 supports every major Clash protocol across 70+ country nodes with 1000Mbps bandwidth. One subscription gives you access to all protocols โ no need to switch providers when you want to try a different setup. Trusted for over 10 years with a 30-day money-back guarantee.
Related Articles
Clash VPN Setup 2026: Complete Guide for Windows, Mac, iOS & Android
Step-by-step Clash installation and configuration for every major platform.
Read More โ Clash ClientsClash Meta vs Clash for Windows 2026: Ultimate Comparison Guide
Which Clash client should you use in 2026? A detailed feature-by-feature comparison.
Read More โ